The KernelCare extra patchset includes all the security fixes from KernelCare for CentOS 6 and CentOS 7, as well as the symlink protection against a symlink race.
A symlink race attack is often used against shared hosting servers. It allows a malicious user to serve files that belong to other users by creating a symbolic link to those files. It is often used to access config.php files that belong to other users.
This extra patchset also includes the IPSet bugfix for CentOS 6.
We recommend you install this patchset for KernelCare running on CentOS 6 and CentOS 7. It is a requirement for Imunify360 for CentOS 6.
Note: For CloudLinux OS users, this patch has already been compiled into the kernel.
The extra patchset is available in version 2.12-5 and newer.
To enable the extra patches and apply them, run:
kcarectl --set-patch-type extra --update
To enable the extra patches without updating, run:
kcarectl --set-patch-type extra
The ‘extra’ patch will be applied on the next automatic update.
To see details run:
You should see something similar to:
time: 2017-07-31 22:46:22
kpatch-description: symlink protection // If you see this patch, it means that you can enable symlink protection.
kpatch-description: symlink protection (kpatch adaptation)
kpatch-description: fix ipset list shrinking for no reason
To enable Symlink Owner Match Protection, add the following lines:
fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 48
sysctl -w fs.enforce_symlinksifowner=1
sysctl -w fs.symlinkown_gid=48
Note: On standard RPM Apache installation, Apache is usually running under GID 48. On cPanel servers, Apache is running under user nobody, GID 99.
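The following check is an added example, not part of KernelCare or its documentation. It confirms that both sysctls are set and that fs.symlinkown_gid matches the GID the web server actually runs under, which catches the case where GID 48 is configured on a cPanel server. The function names are hypothetical, and the input is assumed to be any file of "key = value" lines, such as a sysctl configuration file or saved sysctl output.

```shell
#!/bin/sh
# Added example: verify that the symlink-protection sysctls from this page are
# set and that fs.symlinkown_gid matches the GID the web server runs under.

# Print the last value assigned to sysctl key $2 in file $1 ("key = value"
# lines, the format used by sysctl.conf and printed by `sysctl <key>`).
sysctl_value() {
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }                       # skip comment lines
        {
            k = $1; v = $2
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            if (k == key) last = v                   # last assignment wins
        }
        END { print last }' "$1"
}

# check_symlink_protection FILE WEB_GID
# Returns 0 when protection is enforced for WEB_GID, 1 otherwise.
check_symlink_protection() {
    file=$1 web_gid=$2 status=0
    enforce=$(sysctl_value "$file" fs.enforce_symlinksifowner)
    gid=$(sysctl_value "$file" fs.symlinkown_gid)
    if [ "$enforce" != "1" ]; then
        echo "FAIL: fs.enforce_symlinksifowner is '${enforce:-unset}', expected 1"
        status=1
    fi
    if [ -z "$gid" ]; then
        echo "FAIL: fs.symlinkown_gid is not set"
        status=1
    elif [ "$gid" != "$web_gid" ]; then
        echo "FAIL: fs.symlinkown_gid=$gid but the web server runs as GID $web_gid"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: symlink owner match enforced for GID $web_gid"
    return "$status"
}

# Constructed sample: the page's settings (GID 48) checked on a cPanel host,
# where the page notes Apache runs under GID 99.
sample=$(mktemp)
printf 'fs.enforce_symlinksifowner = 1\nfs.symlinkown_gid = 48\n' > "$sample"
check_symlink_protection "$sample" 99 || echo "mismatch detected (exit $?)"
rm -f "$sample"
```

To check the running kernel rather than a file, save the output of sysctl for the two keys to a file and pass that file in.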